postfix_pipe_t ... execute_no_trans

Daniel J Walsh dwalsh at redhat.com
Fri Jun 16 11:14:56 UTC 2006


QingLong wrote:
> 	Hello!
>
>    Would you be so kind as to give me a hint why postfix's pipe command
>  tries to execute a custom script with execute_no_trans? Details follow.
>
>    Here we have a combination of Spamassassin and DrWeb virus scanner.
>  Due to lame DrWeb programs' stupidity one has to create a shell script
>  that first passes a mail through spamassassin and then throws it to DrWeb.
>  I have created a custom selinux module of my own named ql_spamassassin
>  to (try to) put this combination under selinux control.
>  So I have defined my own type `ql_spamassassin_client_exec_t' for the script
>  and ql_spamassassin_client_t domain type. And I have
>   
Run the AVCs through audit2why?  You might be missing a role command.
> |
> | domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)
> | domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)
> |
>  to allow postfix_pipe_t to execute the script and perform the type transition.
>  The module has been compiled and loaded into the kernel quite successfully,
>  but I still get the execution denials:
> |
> | type=AVC msg=audit(1150125191.592:740): avc:  denied  { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
> | type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 a0=804e410 a1=804e0a8 a2=804e550 a3=3d09 items=1 pid=2793 auid=4294967295 uid=15625 gid=15625 euid=15625 suid=15625 fsuid=15625 egid=15625 sgid=15625 fsgid=15625 comm="pipe" exe="/usr/libexec/postfix/pipe"
> | type=AVC_PATH msg=audit(1150125191.592:740):  path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
> | type=CWD msg=audit(1150125191.592:740):  cwd="/var/spool/postfix"
> | type=PATH msg=audit(1150125191.592:740): item=0 name="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh" flags=101  inode=56842 dev=09:09 mode=0100555 ouid=0 ogid=0 rdev=00:00
> |
>  The system is FC5. SELinux related packages:
> 	checkpolicy-1.30.3-1.fc5
> 	libselinux-1.30-1.fc5
> 	libselinux-python-1.30-1.fc5
> 	libsepol-1.12.6-1.fc5
> 	policycoreutils-1.30.10-1.fc5
> 	selinux-policy-2.2.40-1.fc5
> 	selinux-policy-targeted-2.2.40-1.fc5
> 	kernel-smp-2.6.16-1.2133_FC5
>  Please, give me a hint, what's wrong here. Thank you.
>
>       QingLong.
>
>   
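
An added example, not part of either message: a small Python parser that correlates the audit records quoted above by their event serial and reports exec attempts denied with execute_no_trans. That permission is checked when a program is executed without a domain transition, so the denial means the exec was evaluated as staying in the caller's domain. The function names and the trimmed sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the audit event quoted in the post, trimmed to the fields used here.
SAMPLE = '''\
type=AVC msg=audit(1150125191.592:740): avc:  denied  { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 pid=2793 comm="pipe" exe="/usr/libexec/postfix/pipe"
type=AVC_PATH msg=audit(1150125191.592:740):  path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial) and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, ts, serial, body = m.groups()
        ev = events[(ts, serial)]
        if rtype == "AVC":
            a = AVC.search(body)
            if a:
                ev["result"] = a.group(1)
                ev["perms"] = a.group(2).split()
        for key, value in FIELD.findall(body):
            ev.setdefault(key, value.strip('"'))  # first record to set a field wins
    return dict(events)

def exec_without_transition(events):
    """Return denials where an exec was checked in the caller's own domain."""
    hits = []
    for ev in events.values():
        if ev.get("result") == "denied" and "execute_no_trans" in ev.get("perms", []):
            hits.append({
                "source_type": ev["scontext"].split(":")[2],  # user:role:type:level
                "target_type": ev["tcontext"].split(":")[2],
                "path": ev.get("path", ev.get("name")),  # AVC_PATH gives the full path
                "exe": ev.get("exe"),
            })
    return hits

if __name__ == "__main__":
    for hit in exec_without_transition(parse_events(SAMPLE)):
        print(hit)
```
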



